Bob Butler
Hi everyone. Welcome to the PayFAQ Embedded Payments podcast brought to you by Payrix. I’m your host Bob Butler and today I’m going to be speaking with Jessica Kirkpatrick. She’s our Senior Director of Risk, Fraud, and Underwriting and we’re going to be talking about what happens if you have a security breach. So hi Jessica, welcome to the show.
Jessica Kirkpatrick
Hi Bob, thanks for having me.
Bob Butler
It’s great to have you here, but before we get started, can you tell our audience a little bit about yourself and your software and payments background?
Jessica Kirkpatrick
Sure, so I am located in Omaha, Nebraska, right in the middle of the country. I have been in payments for 18 years; the first seventeen years of that were with PayPal and the last year has been here at Payrix. All of my time in payments has been in fraud in some capacity.
Bob Butler
We know no one wants to experience a security breach, but it can happen in our digital world today. Before we get into what happens after the breach, can you talk a little bit about how a software company might detect a security compromise?
Jessica Kirkpatrick
Oh yeah, for sure. If monitoring and controls are in place and the company is actively monitoring customer behavior, a breach can be detected early, which will limit the impact: looking at suspicious network activity like strange file transfers or login attempts, sudden changes to critical infrastructure or to system passwords and accounts, suspicious files in the system which may or may not have been encrypted, and suspicious banking activities and transactions. All of these can bring awareness around an event as it’s actually happening. Too often, though, software companies become aware of a breach when the company receives notice from their customers that they are no longer receiving their funds, or that they’re seeing unrecognized activity on their software account like bank account changes or contact information changes. When this happens, the impact can be costly for the merchant and for the software company, who now have to repair their own brand reputation.
Bob Butler
So once a breach is identified, what should a software company do first?
Jessica Kirkpatrick
Well, first of all, business operations are going to be heavily disrupted in the aftermath of a breach. Organizations need to be able to contain that data breach and conduct a thorough investigation into how it occurred and what systems were accessed. The very first thing that these software companies should do is contain the breach, and to do that they’re going to prevent any further compromise of personal information. Changing passwords for both the software companies and all of their merchants and their portfolios, and implementing multifactor authentication, is going to be key at this very first stage.
Bob Butler
Once they’ve taken those steps, what comes next? Can you talk a bit about the aftermath?
Jessica Kirkpatrick
Assess the data breach by gathering the facts and evaluating the risk, including potential harm to affected individuals, and, where possible, take action to remediate any risk of harm. They need to notify individuals who are impacted by the breach. And then review the incident and consider what actions can be taken to prevent future breaches.
Bob Butler
So we’ve got a breach. What are the biggest mistakes a software company can make once they have this breach?
Jessica Kirkpatrick
First and foremost, the biggest mistake they can make is to do nothing. I would say, in addition, believing that they have fully mitigated the attack and washed their hands of it, like going into a state of ignorance. So if a fraudster detects a vulnerability, they will come back and try again. Education is key, and developing a robust education program that stays on top of and up to date with the latest fraud trends will inform the employees of the company and make them aware of what can be identified to prevent future breaches.
Bob Butler
So, after the software company has handled the breach, what should the ongoing plan look like for the future?
Jessica Kirkpatrick
First of all, they need to manage access. This goes back to that multi-factor authentication that we talked about before: whitelisting IPs, controlling and monitoring access for anyone who connects to the system. Create multiple-level approval flows and review permissions regularly. Going back to educating employees and merchants, establish a robust cyber-security policy informing the team to avoid unfamiliar websites and downloads. Train employees on various cyber-security events such as clickjacking and phishing attempts, and then run campaigns regularly. Avoid unfamiliar websites and useless downloads, even those that appear to be from an internal or reputable source. And really, one of the most important things is keeping the systems up to date. Use your firewalls, antivirus protection, and Wi-Fi network security; invest in patch management systems; configure automated updates to browsers, software, and operating systems; and use a VPN if you’re on public Wi-Fi. All of these things together help ensure that the software company is not putting themselves at risk for a future breach.
Bob Butler
This has been fantastic, Jessica. Any last pieces of advice you’d like to leave for a software company?
Jessica Kirkpatrick
I think really the most important thing I could say is educate and check and recheck. Always go back and complete that circle.
Bob Butler
Excellent. So, Jessica, thank you for being on the show. Having spent quite a bit of time with you over the last few months, now it’s coming up on a couple of years, I know we’re both big believers in sharing knowledge and experience. So, we really appreciate you joining us today.
Jessica Kirkpatrick
Thank you, Bob.
Bob Butler
We want to be a trusted resource for software providers who are out there trying to make sense of Embedded Payments and finance, and to help them get the education they need to make the business decisions their customers and investors will thank them for.